New adapter - Apester

[anna-y-perion]

Documentation PR:
prebid/prebid.github.io#6448

[ChrisHuie]

AGENT TESTING PR REVIEW

PR #4698 Review: New Adapter - Apester

Author: anna-y-perion | Type: Alias-Only (with userSync) | CI: Clean (all checks passed)

---

Triage Manifest

Field	Value
PR Type	alias-only
Files	1 file: static/bidder-info/apester.yaml [added]
Bidder affected	apester (alias of vidazoo)
Skills activated	bidder-info-pr-review only
Cross-skill concerns	None detected
CI Status	Clean (validate 1.23.x, validate 1.24.x, validate-merge, notify — all passed)

File Routing

Skill	Files
bidder-info	static/bidder-info/apester.yaml [added]
bidder-params	—
adapter-code	—

---

Issues Found

FAIL: Iframe sync URL has SSL certificate mismatch — sync.apester.com serves cert for *.exco-pb.com

The declared iframe sync URL at https://sync.apester.com/api/user/html/... fails SSL verification. The server presents a certificate for *.exco-pb.com (Sectigo, valid until Oct 11, 2026) instead of a certificate matching sync.apester.com. This causes TLS handshake failures — curl returns exit code 60 (SSL certificate problem) and HTTP status 000.

PBS user sync requests will fail against this endpoint until the certificate is corrected. Either:

1. Fix the SSL certificate on sync.apester.com to match the hostname, OR
2. Use a different sync domain that has a valid matching certificate

File: static/bidder-info/apester.yaml, userSync.iframe.url

---

WARN: Missing capabilities field — relying entirely on parent inheritance

The alias file does not declare capabilities. These will be inherited from the parent vidazoo adapter (site: [banner, video], app: [banner, video]). This is valid alias behavior, but worth confirming the intent is to support all parent capabilities, including app context.

File: static/bidder-info/apester.yaml

---

INFO: No endpointCompression declared — parent uses gzip

The parent vidazoo adapter declares endpointCompression: gzip. The alias does not declare this field, so it will inherit gzip compression from the parent. This is correct behavior but noted for completeness.

---

Field-by-Field Verification

1. aliasOf: "vidazoo"

Check	Result	Evidence
Parent exists	PASS	static/bidder-info/vidazoo.yaml exists on master
No alias chain	PASS	vidazoo has no aliasOf field — it is a standalone adapter
White-label compliance	PASS	Apester is a separate organization using vidazoo's bidding infrastructure via alias — correct approach
Endpoint domain differs	PASS	Alias uses bidder.apester.com vs parent's prebidsrvr.cootlogix.com — different domains
Alias completeness	PASS	maintainer.email is present for partner contact

2. endpoint: "https://bidder.apester.com/openrtb/"

Check	Result	Evidence
URL format	PASS	Well-formed HTTPS URL
Reachability	PASS	HTTP 200 on POST, 0.80s response time
SSL/TLS	PASS	Sectigo cert (CN=bidder.apester.com), valid Feb 15, 2026 – Feb 15, 2027
Domain ownership	PASS	bidder.apester.com — Apester is a known content platform. Domain matches bidder name
No hardcoded credentials	PASS	Clean URL
No template macros	PASS	No {{...}} present

3. maintainer.email: "roni.katz@apester.com"

Check	Result	Evidence
Email format	PASS	Valid format user@domain.tld
Domain consistency	PASS	apester.com matches the bidder name and endpoint domain

4. gvlVendorID: 354

Check	Result	Evidence
Value range	PASS	Positive integer
GVL lookup	PASS	Vendor 354 = Apester Ltd
Company name match	PASS	"Apester Ltd" matches the bidder name "apester" exactly
Alias GVL limitation	INFO	Note: aliases currently cannot override the base adapter's GVL vendor ID in PBS. Parent vidazoo has GVL ID 744 (Vidazoo Ltd). The declared gvlVendorID: 354 may not take effect for consent checks due to this known limitation

5. userSync.iframe

Check	Result	Evidence
URL format	PASS	Well-formed HTTPS URL
Reachability	FAIL	SSL certificate mismatch — server presents *.exco-pb.com cert instead of sync.apester.com. Connection fails with TLS error (curl exit 60)
SSL/TLS	FAIL	Certificate CN=*.exco-pb.com does not match hostname sync.apester.com. Cert issuer: Sectigo, valid until Oct 11, 2026 — cert itself is not expired, just mismatched
Macro: {{.GDPR}}	PASS	Valid macro
Macro: {{.GDPRConsent}}	PASS	Valid macro
Macro: {{.USPrivacy}}	PASS	Valid macro
Macro: {{.RedirectURL}}	PASS	Valid macro
Macro: {{.GPP}}	PASS	Valid macro
Macro: {{.GPPSID}}	PASS	Valid macro
userMacro: ${userId}	PASS	Matches parent vidazoo's userMacro format exactly
Domain consistency	FAIL	sync.apester.com presents as *.exco-pb.com — unclear domain ownership

6. PR-Level Checks

Check	Result	Evidence
Documentation PR	WARN	No documentation PR linked in PR description (description is null/empty)
Duplicate PR check	PASS	No other open PRs for "apester"
CI status	PASS	All 4 checks passed (validate 1.23.x, validate 1.24.x, validate-merge, notify)

---

Cross-Field Validation

Rule	Result	Evidence
Alias consistency	PASS	No explicit capabilities declared — inherits from parent (valid)
GPP consistency	INFO	Sync URL includes {{.GPP}} and {{.GPPSID}} macros. Parent vidazoo has openrtb.gpp_supported: true which will be inherited
GDPR compliance	PASS	gvlVendorID is set (354), sync URL includes GDPR macros
Sync domain vs endpoint domain	INFO	Endpoint uses bidder.apester.com, sync uses sync.apester.com — same base domain, but sync domain has SSL mismatch

---

Recommendation: Request Changes

This is an alias-only adapter PR with a clean structure — Apester correctly aliases vidazoo with its own endpoint, maintainer, GVL ID, and userSync configuration. The bidding endpoint is live and has valid SSL. However, there is one blocking issue:

1. Must fix: The iframe sync URL at sync.apester.com has an SSL certificate mismatch (serves *.exco-pb.com instead). User sync will fail until the certificate is corrected or an alternative sync domain is provided.
2. Should fix: Add a PR description linking a companion documentation PR (prebid.github.io)
3. Be aware: The gvlVendorID: 354 (Apester Ltd) may not override parent vidazoo's GVL ID 744 (Vidazoo Ltd) due to a known PBS alias limitation

---

Task Completion Summary

Task #	Subject	Status
1	PR Triage: Classify PR type, route files, check CI	Completed
2	Verify apester: aliasOf field	Completed
3	Verify apester: endpoint field	Completed
4	Verify apester: maintainer.email field	Completed
5	Verify apester: gvlVendorID field	Completed
6	Verify apester: userSync.iframe field + macros	Completed
7	PR-level: Documentation PR and duplicate check	Completed
8	Produce final review summary for PR #4698	Completed

Skills Called

Skill	Outcome
pr-triage	Executed inline — file categorization (1 file, alias-only), CI check (all 4 passed), cross-skill concerns (none)
bidder-info-pr-review	Executed inline — alias validation, endpoint reachability (200), SSL (Sectigo, valid Feb 2027), GVL (354 = Apester Ltd), userSync (SSL mismatch FAIL)

Code / Commands Executed

Command	Purpose	Result
curl -X POST https://bidder.apester.com/openrtb/	Endpoint reachability	HTTP 200, 0.80s
openssl s_client -connect bidder.apester.com:443	SSL certificate details	Sectigo, CN=bidder.apester.com, valid until Feb 15, 2027
curl https://sync.apester.com/api/user/html/...	Iframe sync URL reachability	FAIL — SSL cert mismatch, exit code 60
openssl s_client -connect sync.apester.com:443	Sync SSL certificate details	CN=*.exco-pb.com (MISMATCH), Sectigo, valid until Oct 11, 2026
curl vendor-list.consensu.org | python3 (vendor 354)	GVL vendor lookup	"Apester Ltd" confirmed

WebFetch API Calls

URL	Purpose
api.github.com/.../pulls/4698	PR metadata (title, author, labels)
api.github.com/.../pulls/4698/files	File list + patches
api.github.com/.../pulls/4698/commits	Head SHA for CI check
api.github.com/.../commits/{sha}/check-runs	CI status (all 4 passed)
api.github.com/.../pulls/4698/comments	Existing review comments (none)
api.github.com/.../issues/4698/comments	Existing PR comments (none)
raw.githubusercontent.com/.../vidazoo.yaml	Parent adapter YAML for alias validation
api.github.com/search/issues?q=apester	Duplicate PR check (none found)

[anna-y-perion]

Hi,
@danylo-kazymyrov-teqblaze , @przemkaczmarek
I have seen the certificate problem. We have managed to fixed it. Please run this check again.

I have a question about this statement:
Alias GVL limitation
Note: aliases currently cannot override the base adapter's GVL vendor ID in PBS. Parent vidazoo has GVL ID 744 (Vidazoo Ltd). The declared gvlVendorID: 354 may not take effect for consent checks due to this known limitation

During one of other alias creation it was told that this field gvlVendorID will override the parent field. Is it a changed behavior? Is there any possible solution to this?
Thank you in advance.

[ChrisHuie]

@anna-y-perion

Alias GVL limitation Note: aliases currently cannot override the base adapter's GVL vendor ID in PBS. Parent vidazoo has GVL ID 744 (Vidazoo Ltd). The declared gvlVendorID: 354 may not take effect for consent checks due to this known limitation

During one of other alias creation it was told that this field gvlVendorID will override the parent field. Is it a changed behavior? Is there any possible solution to this?

Yeah sorry. This agent learned from past prs but looks like this was super recently changed... So disregard that statement and I will make sure and update the agent so it better understands this.

The fix in 5dbaf35 ensures aliases must explicitly declare their own GVL ID (they don't inherit from the parent), and that declared ID is what gets used in GDPR consent enforcement.

[przemkaczmarek]

vaiting for response

[przemkaczmarek]

I think You should add a generic email

[ChrisHuie]

the agent missed this. It should be

[przemkaczmarek]

Please cheange email

[danylo-kazymyrov-teqblaze]

@anna-y-perion pls chnage the email. It should be general email address, not personal (i.e. tech/support/etc@apester.com)

[przemkaczmarek]

verified:

[przemkaczmarek]

endpoint i reachable:

[przemkaczmarek]

wroks

[danylo-kazymyrov-teqblaze]

LGTM